US20040139202A1 - Grid computing control system - Google Patents

Info

Publication number
US20040139202A1
Authority
US
United States
Prior art keywords
grid
session
user
monitoring
command
Prior art date
Legal status
Granted
Application number
US10/340,436
Other versions
US7421500B2 (en
Inventor
Vanish Talwar
Sujoy Basu
Rajendra Kumar
Current Assignee
Hewlett Packard Enterprise Development LP
Original Assignee
Hewlett Packard Development Co LP
Priority date
Filing date
Publication date
Application filed by Hewlett Packard Development Co LP
Priority to US10/340,436
Assigned to HEWLETT-PACKARD COMPANY. Assignment of assignors interest (see document for details). Assignors: BASU, SUJOY; KUMAR, RAJENDRA; TALWAR, VANISH
Assigned to HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P. Assignment of assignors interest (see document for details). Assignors: HEWLETT-PACKARD COMPANY
Assigned to HEWLETT-PACKARD DEVELOPMENT COMPANY L.P. Assignment of assignors interest (see document for details). Assignors: HEWLETT-PACKARD COMPANY
Publication of US20040139202A1
Application granted
Publication of US7421500B2
Assigned to HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP. Assignment of assignors interest (see document for details). Assignors: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.
Legal status: Expired - Fee Related (current)
Adjusted expiration

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/14: Session management
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L69/00: Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/30: Definitions, standards or architectural aspects of layered protocol stacks
    • H04L69/32: Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
    • H04L69/322: Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions
    • H04L69/329: Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the application layer [OSI layer 7]

Definitions

  • FIG. 1 shows a grid computing environment according to the conventional art.
  • FIG. 2 shows a block diagram of a system providing access control for graphical interactive sessions in a grid computing environment, in accordance with one embodiment of the present invention.
  • FIG. 3 shows a block diagram of a grid interactive shell, in accordance with one embodiment of the present invention.
  • FIG. 4 shows a block diagram of a grid monitoring system, in accordance with one embodiment of the present invention.
  • FIG. 5 shows a diagram of system policy file classifications, in accordance with one embodiment of the present invention.
  • FIG. 6 shows system policy files in accordance with an exemplary embodiment of the present invention.
  • FIGS. 7A-7B show a flow diagram of a process performed by an access control system, in accordance with one embodiment of the present invention.
  • Embodiments of the present invention provide an access control system supporting graphical interactive sessions on a grid computing environment.
  • the access control system comprises a grid interactive shell and a grid monitoring system.
  • the grid interactive shell restricts access permission to execute requested applications and commands submitted interactively by an end-user.
  • the grid interactive shell may also check system resources for provisioning quality of service guarantees before allowing an application to run.
  • the grid monitoring agents monitor the system and session parameters so as to enforce the access control policies during a graphical interactive session.
  • the grid computing control system comprises a grid interactive shell, for receiving a request to execute a command and/or application on a computing resource, a grid monitoring system, and a plurality of system policy files.
  • the grid interactive shell is coupled to an operating system of the computing resource.
  • the grid monitoring system is coupled to the interactive shell and the operating system of the computing resource.
  • the plurality of system policy files are coupled to the grid interactive shell and the grid monitoring system.
  • the grid interactive shell comprises a command interpreter, for parsing said command.
  • An access control subsystem for verifying a first plurality of system and session parameters, is also provided by the grid interactive shell.
  • the access control subsystem comprises one or more modules such as an executables and file access control module, a user binaries module, a session access control module, a quality of service access control module, and/or the like.
  • the grid monitoring system comprises a plurality of monitoring agents, for monitoring a second plurality of system and session parameters.
  • the grid monitoring system also includes a log file, for recording a plurality of system and session data.
  • the grid monitoring system comprises one or more modules such as a session specific policy module, a quality of service guarantees module, an intrusion detection module, an intrusion prevention module, and/or the like.
  • Referring to FIG. 2, a block diagram of a system 200 providing access control for graphical interactive sessions in a grid computing environment, in accordance with one embodiment of the present invention, is shown.
  • access control between commands and/or applications 210 and an operating system kernel 220 is provided by a grid interactive shell 230, system policy files 240 and a grid monitoring system 250.
  • the access control system 200 provides end-users an interactive shell called the grid interactive shell 230.
  • the grid interactive shell 230 restricts access permission to execute requested applications and commands submitted interactively by an end-user.
  • the grid interactive shell 230 may also allow end-users to log onto a remote node.
  • the grid interactive shell 230 may also check system resources for provisioning quality of service guarantees before allowing an application to run.
  • the grid monitoring system 250 provides for actively monitoring the system and session parameters so as to enforce session, application, and user policies during execution of user requested commands and/or applications.
  • the grid monitoring system 250 also interfaces with the grid interactive shell 230, to provide relevant system and session information.
  • the system and session information enables the grid interactive shell 230 to make access control decisions based on dynamic information gathered from the system.
  • the system policy files 240 are used by the grid interactive shell 230 and the grid monitoring system 250 to enforce the access control policies.
  • the system policy files contain policy rules and data for each session and/or user.
  • Referring to FIG. 3, a block diagram of a grid interactive shell 310, in accordance with one embodiment of the present invention, is shown.
  • the grid interactive shell 310 comprises a command interpreter 320 and an access control subsystem 340.
  • the grid interactive shell 310 is an extension to a command shell.
  • the grid interactive shell 310 accepts commands for execution.
  • the grid interactive shell 310 also accepts requests to execute applications that are already installed on the remote machine by a system administrator.
  • the grid interactive shell 310 may also accept requests to execute applications that are not already installed on the remote machine and are user specified binary files.
  • a request to execute an application may be given in the form of a command.
  • an end-user submits a request to start a command or application 305 to the grid interactive shell 310.
  • the command 305 is first parsed by the command interpreter 320, and then passed on to the access control subsystem 340.
  • the access control subsystem 340 performs various access control checks. If one or more access control checks fail, a failure message is returned back to the user and the request to start the application and/or command is denied. If the access control subsystem checks succeed, then the command and/or application is started by the grid interactive shell and the graphical output, if any, can be viewed through a remote graphical display.
  • the access control subsystem 340 may comprise a plurality of modules such as: an executables and files access control module 350, a user binaries access control module 360, a session access control module 370, a quality of service access control module 380, and/or the like.
  • the executables and files access control module 350 verifies that the requested command and/or application does not belong to a list of disallowed executables, is not invoked with a list of disallowed arguments and/or options, and/or does not access disallowed files and directories.
  • the executables and files access control module 350 may also attempt to determine the files and directories that would be accessed, and compares them with the list in the system policy file 385. In an optional feature of the present embodiment, verification may be enforced through the system policy file 385, which enumerates the list of disallowed executables, disallowed executable arguments, disallowed files, and/or disallowed directories for the user.
  • the user binaries access control module 360 is responsible for verifying a trusted signature for user specified binaries.
  • a user binary is typically an application that the user wishes to load onto a grid resource.
  • the module checks a user signature from an existing trusted service. Alternatively, if an existing trusted service is unavailable to the user, the present embodiment may provide a virtual machine environment for executing the user's binaries. The decision to allow a virtual machine environment may be controlled based on a system policy file 385 for the user.
  • the session access control module 370 verifies that the requested command and/or application does not violate session specific policies, such as usage time for the session, maximum number of processes and/or applications launched during the session, maximum number of socket connections allowed during the session, and/or maximum disk quota used during the session.
  • the grid interactive shell 310 may be provided with the current usage values for these parameters by the grid monitoring system 390.
  • the policy and actions to be taken on violation of the session policies may be specified in another system policy file 385.
  • the quality of service access module 380 verifies that the requested command and/or application would not violate quality of service guarantees for itself and/or other running jobs. The module verifies that system resources are available to meet quality of service guarantees for the requested command and/or application. If the requested application cannot be provided sufficient system resources, the quality of service access module 380 may deny access to execute the application and notify the user of the failure.
  • another system policy file 385 may be utilized to determine quality of service levels.
  • a system policy file 385 may contain information about the acceptable quality of service guarantee levels for each application. Each such quality of service guarantee levels would translate to specific system resource requirements.
  • the quality of service access module 380 may first verify whether executing the requested command and/or application at the required quality of service guarantee level will exceed the advance reservation limits. If so, or if there is no advance reservation in place, the quality of service access control module can interface with the grid monitoring system 390 to determine the system load and estimated system availability information. If the estimated available resources can accommodate the requested application at an acceptable quality of service level, then the quality of service access module 380 would allow access to execute the application. The quality of service access module 380 may also provision and reserve the resources for the application, based on a policy decision.
  • the grid monitoring system 410 comprises monitoring agents 420.
  • the grid monitoring system 410 may also comprise a grid monitoring agents log file 470.
  • the grid monitoring agents 420 may comprise a plurality of modules such as: a session specific policy module 430, a quality of service guarantees module 440, an intrusion detection module 450, an intrusion prevention module 460, and/or the like.
  • Some of the agents 430-460 may be associated with a specific session, while others may be system wide agents that monitor all the sessions started through the grid interactive shell 490.
  • the agents 430-460 may also log their information in log files 470, as well as interface to the grid interactive shell 490, other peer monitoring agents 485, other monitoring systems (not shown) and/or the like, as needed.
  • the session specific policy module 430 monitors session specific parameters. Session specific policies may include specific policies such as usage time for the session, number of processes spawned during the session, number of socket connections opened during the session, disk quota usage for the session, central processing unit usage for the session, and/or the like.
  • the session specific policy module 430 may utilize the system policy files 495 to determine acceptable limits. The system policy files 495 may for example define the maximum usage limits of these parameters. In an optional feature of the present embodiment, if the session specific policy module 430 observes a violation of the defined session policies, an appropriate action may be taken as defined in the system policy files 495.
  • the quality of service guarantees module 440 is responsible for monitoring and enforcing the quality of service guarantees for commands and/or applications.
  • the quality of service guarantees module 440 monitors parameters such as central processing unit utilization, network bandwidth available for each application, and/or the like.
  • the module 440 may also interface with the grid interactive shell quality of service module and respond to requests made thereby.
  • the intrusion detection module 450 monitors parameters such as internet protocol (IP) addresses of incoming connections, transmission control protocol (TCP) connection information, and/or the like.
  • the intrusion detection module 450 may also interface with peer agents on other grid enabled machines. Interfacing with peer agents allows the agents to share intrusion detection information, thus forming a distributed intrusion detection system for grid environments.
  • the intrusion prevention module 460 monitors parameters such as IP addresses of outgoing connections and/or the like.
  • the intrusion prevention module 460 may selectively block connections to certain IP addresses as a precautionary measure to prevent possible intrusion and spreading of worms/viruses to other nodes.
  • the intrusion prevention module 460 serves to prevent intrusion from hacked or malicious binary code started by the grid user on the remote node.
  • the monitoring agents 420 may send a signal to the grid interactive shell 490 whereby an appropriate action is taken.
  • An exemplary default action may be to terminate all the processes started during the session and thereafter end the session.
  • system policy files may be classified into the following categories: session policy files, account policy files, application policy files, quality of service policy files, and/or the like.
  • the system policy files are controlled by a system administrator. Furthermore, each of the policy files may be customized for a given user of the system.
  • the session policy files contain policy information for each session. Exemplary policies are accounting and pricing policies, central processing and process usage policies, file system and disk quota usage policies.
  • the policy files may also specify the default action to be taken on a violation of these policies.
  • the account policy files may contain policy information associated with account pools. There may be separate policies for controlled normal users and controlled super users.
  • the operating system of a particular computing resource provides for normal users and super users.
  • the access of the normal user and super user are each restricted by applicable access control policy files, resulting in controlled normal users and controlled super users.
  • Exemplary policies may include a list of allowed executables and files for a given account pool that a controlled normal user or controlled super user may access on a given computing resource.
  • the application policy files contain policy information for applications that would be started by the grid environment. There may be two kinds of applications, installed applications and user specified binaries.
  • the quality of service policy files may contain information for quality of service metrics.
  • An exemplary quality of service metric for graphical sessions to remote nodes may comprise a minimum frame rate. Each acceptable frame rate requirement may translate to specific quality of service requirements for the application and the remote display server on the remote node.
  • the exemplary policy files include account policy files, a session policy file, and a quality of service policy file.
  • the exemplary account policy files include a list of disallowed executables and a list of disallowed files.
  • the exemplary session policy file includes a session max value and a default action.
  • the exemplary quality of service policy file includes an acceptable frame rate for various application classes.
  • Referring to FIGS. 7A-7B, a flow diagram of a process performed by an access control system, in accordance with one embodiment of the present invention, is shown.
  • the account management process begins with a user presenting credentials to a middleware infrastructure, at step 703.
  • the user's credentials are authenticated at step 706.
  • Authentication may require that the end-user previously requests and obtains a grid certificate.
  • An authentication manager mutually authenticates the user with various computing resources in the grid.
  • the grid environment uses dynamic and/or template accounts to provide resource virtualization for the grid environment.
  • the scalability and manageability of the system is enhanced if grid users are not required to have personal user accounts on each computing resource that is a part of the grid. Instead, a system administrator adds the user once to a directory maintained by the virtual organization in which the user has obtained membership. For an organizational account, an entry may be added once for the organization in the directory.
  • An organization account is an organization wide common account shared by all the members of the virtual organization.
  • an appropriate account pool for the user is determined, at step 709.
  • Each pool is associated with a set of policy files, which are customized to the target users of the particular pool.
  • a dynamic account for the requested session is established for the authorized user. The selection of a pool and the binding of the user to an available dynamic account from that pool may be based on the grid credentials presented.
  • Any node that participates in a given virtual account will check the user's membership with the directory, and authorize the use as a dynamic account if the user does not have a static account.
  • the dynamic account is chosen from a pool of dynamic accounts maintained for the particular virtual organization. Each dynamic account is a full-fledged account created on the computing resource, but without a permanent real-world user associated with it. Unlike normal user accounts that belong permanently to their real-world owners, a dynamic account is bound to a user temporarily.
  • the access control system and the monitoring agents are invoked.
  • a window manager, terminal windows running the grid interactive shell, and other programs specified in the window manager's startup files are started as processes owned by the allocated dynamic account.
  • a virtual network connection (VNC) server or remote display server is started.
  • the grid monitoring system is also started simultaneously.
  • a web browser of the end-user receives a hypertext markup language (HTML) code containing a VNC applet code snippet for the VNC server.
  • a VNC connection is established between the end-user's web browser and the remote node.
  • a VNC viewer application may be utilized, if it is desired not to use the Java applet based approach.
  • the VNC viewer is preinstalled on the end-user's machine.
  • Upon a successful VNC authentication, the user is presented with a controlled KDE desktop environment containing only the applications and menus the user is allowed to access.
  • the KDE desktop environment is pre-configured by a system administrator for each pool of accounts. Other desktops like GNOME could also be provided and customized.
  • the grid interactive shell may be implemented as an extension to the popular GNU bash shell for Linux.
  • the shell source code is modified so as to include the access control modules.
  • the grid interactive shell may be implemented as an extension of Cygwin open source bash shell.
  • the shell source code is modified to add in the access control modules.
  • the system policy files are implemented as text files stored in the Windows File system.
  • the access control modules read in the system policies from the files.
  • requests for executing a command and/or application submitted 751 by the user are parsed at step 712.
  • the parsed requests are processed by the access control subsystem.
  • the access control subsystem may include an executables and files access control module 715, which verifies that the requested command and/or application does not belong to a list of disallowed executables, is not invoked with a list of disallowed arguments and/or options, and does not access disallowed files and directories. If a request contains a user binary, a user binaries access control module 718 verifies the signature of user specified binaries.
  • a session access control module 721 verifies that the requested command and/or application does not violate session specific policies.
  • a quality of service access module 724 verifies that the requested command and/or application would not violate quality of service guarantees for itself and other running graphics jobs.
  • At step 727, if the access control checks succeed, then the command and/or application is started by the grid interactive shell and the graphical output, if any, can be viewed through the remote graphical display.
  • monitoring may include checking session specific parameters, checking and enforcing the quality of service guarantees, and detecting and/or preventing intrusion.
  • Such monitoring agents 730, 733, 736, 739 may be executed serially and/or in parallel with each other and the command or application being monitored. If the monitoring agents 730, 733, 736, 739 detect a violation, an appropriate action may be taken as defined in a system policy file. Alternatively, the user may be notified of the failure and the session terminated 763.
  • the dynamic account is freed at the termination time agreed upon for the session.
  • the grid monitoring agents may terminate the processes still running with the particular account as owner, and may delete all files owned by the account.
  • the dynamic account is then returned to the pool, at step 745.
  • the grid monitoring agents may archive the files created by the user on a server maintained by the virtual organization. Subsequent sessions for this user would retrieve the files from the archive. The selection of a pool and the binding of the user to an available dynamic account from that pool are based on the grid credentials presented by a user.
  • Embodiments of the present invention may be practiced as an extension of existing grid middleware infrastructure. Embodiments of the present invention advantageously provide a comprehensive access control methodology for graphical interactive sessions.
  • the access control is in addition to those provided by the operating system.
  • the access control system is modular and rule-based, allowing for fine-grained access control and easy extensibility.
  • the extensibility allows for adding and removing access control modules in the grid interactive shell, or monitoring agents in the grid monitoring system, as appropriate for a particular implementation.
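
The checks that the executables and files access control module and the session access control module perform on a parsed command (FIG. 3, and steps 712-721 of FIGS. 7A-7B) are sketched below as an added example; it is not code from the patent or from its assignee. The `key: value` policy layout, every path and limit, and all function names are assumptions, and the sketch does not expand variables or command substitutions.

```python
import posixpath
import shlex
from collections import namedtuple

# Constructed policy text. The patent says only that policy files are text
# files listing disallowed executables, arguments and files plus session
# maxima; this "key: value" layout and all values are assumptions.
ACCOUNT_POLICY = """\
disallowed_executable: /usr/bin/nc
disallowed_argument: find -exec
disallowed_path: /etc/shadow
disallowed_path: /home/grid002
"""
SESSION_POLICY = """\
max_processes: 4
max_usage_seconds: 3600
"""
CONTROL_OPS = {";", "|", "||", "&", "&&"}  # these separate simple commands
PUNCT = set("();<>|&")
Decision = namedtuple("Decision", "allowed reason")

def parse_policy(text):
    """Parse 'key: value' lines into {key: [values]}; reject malformed lines."""
    policy = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        key, sep, value = line.partition(":")
        if not sep or not value.strip():
            raise ValueError(f"malformed policy line: {line!r}")
        policy.setdefault(key.strip(), []).append(value.strip())
    return policy

def split_commands(command_line):
    """Command interpreter step: yield one argv per simple command."""
    lex = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    lex.commenters = ""
    argv = []
    for tok in lex:
        if tok in CONTROL_OPS:
            if argv:
                yield argv
            argv = []
        elif not set(tok) <= PUNCT:  # drop redirection/grouping operators but
            argv.append(tok)         # keep their targets as arguments to check
    if argv:
        yield argv

def canon(path, cwd):
    # normpath collapses "../" so traversal cannot sidestep the lists; on a
    # real node symlinks would need resolving too (os.path.realpath).
    return posixpath.normpath(posixpath.join(cwd, path))

def under(path, root):
    return path == root or path.startswith(root.rstrip("/") + "/")

def check_executables_and_files(argv, policy, cwd):
    """Executables and files module: executable, then options, then paths."""
    exe = argv[0]
    for banned in policy.get("disallowed_executable", []):
        # A bare name is compared by basename, a conservative stand-in for PATH lookup.
        hit = canon(exe, cwd) == banned if "/" in exe else exe == posixpath.basename(banned)
        if hit:
            return Decision(False, f"disallowed executable: {banned}")
    for rule in policy.get("disallowed_argument", []):
        name, option = rule.split()
        if posixpath.basename(exe) == name and option in argv[1:]:
            return Decision(False, f"disallowed argument: {name} {option}")
    for arg in argv[1:]:
        target = canon(arg.split("=", 1)[-1], cwd)  # also covers --file=PATH
        for banned in policy.get("disallowed_path", []):
            if under(target, banned):
                return Decision(False, f"disallowed path: {banned}")
    return Decision(True, "ok")

def check_session(usage, policy, new_processes):
    """Session module; 'usage' stands in for values from the monitoring system."""
    if usage["processes"] + new_processes > int(policy["max_processes"][0]):
        return Decision(False, "session policy: max_processes")
    if usage["usage_seconds"] >= int(policy["max_usage_seconds"][0]):
        return Decision(False, "session policy: max_usage_seconds")
    return Decision(True, "ok")

def authorize(command_line, usage, cwd="/home/grid001"):
    """Run every check; the first failure denies the whole request."""
    account, session = parse_policy(ACCOUNT_POLICY), parse_policy(SESSION_POLICY)
    try:
        commands = list(split_commands(command_line))
    except ValueError as exc:  # e.g. unbalanced quotes
        return Decision(False, f"parse error: {exc}")
    if not commands:
        return Decision(False, "empty command")
    for argv in commands:
        verdict = check_executables_and_files(argv, account, cwd)
        if not verdict.allowed:
            return verdict
    return check_session(usage, session, new_processes=len(commands))
```

A disallowed-list check of this kind does not stop a user from running a renamed copy of a listed executable, which is why the design pairs it with signature verification of user binaries and with runtime monitoring.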

Abstract

Embodiments of the present invention provide a method for grid computing access control and a system thereof. A command is received from a user. The authorization of the user to execute the command is verified. A system parameter is monitored during execution of the command.

Description

    FIELD OF THE INVENTION
  • Embodiments of the present invention relate to a grid computing environment, and more particularly to access control and account management of an interactive session. [0001]
    BACKGROUND OF THE INVENTION
  • Grid computing is a method of harnessing the power of many computational resources in a network. Grid computing is a distributed computer infrastructure involving large-scale sharing, innovative applications and/or high performance processing and network bandwidth. [0002]
  • Referring to FIG. 1, a grid computing environment according to the conventional art is shown. As depicted in FIG. 1, the grid computing environment comprises a plurality of heterogeneous computing nodes distributed across multiple administrative domains. Multiple virtual organizations (e.g., VO X, VO Y, VO Z) exist over the heterogeneous nodes. A node (hereinafter also referred to as a computing resource) may be a part of several virtual organizations. An end-user (e.g., USER M, USER N, USER O) may need to access remote nodes either in the same administrative domain 105 or across domains 110, 115, and may desire interactive sessions with these nodes. [0003]
  • The interactivity may be either graphical or text-based. Exemplary interactive sessions may include graphics visualization applications, engineering applications like computer aided design or mechanical computer aided design (CAD/MCAD), digital content creation, streaming media, video games, text editing, command line interactions, e-mail applications, and the like. The end-user should also be able to view the graphical and multimedia output of the submitted jobs and applications through such graphical interactive sessions. The interaction of the end-user with the remote node may also involve the execution of both installed applications and user specified binaries. [0004]
  • Traditionally, grid computing has provided for the execution of batch jobs in the scientific and academic community. Batch execution on a grid computing environment requires authentication, authorization, resource access, resource discovery, and other services. In support of batch processing of jobs on a grid computing environment, protocols, services, application programming interfaces, and software development kits have been developed. The conventional method and system are not particularly suited for interactive grid computing sessions. [0005]
  • Access control to remote nodes is challenging in a grid interactive environment. Malicious users might take advantage of the interactivity by identifying and exploiting potential security loopholes. For example, malicious users may be able to submit unauthorized jobs to the remote machine. Session and account management is also challenging in a grid interactive environment. Without access control during an interactive session, an end-user may be permitted unrestricted access time to the remote node. Furthermore, quality of service and/or other performance metrics are difficult to deliver in graphical interactive sessions. [0006]
  • A grid computing infrastructure that can hide the complexities of resource management from the user and that can provide secure graphical and multimedia interactive sessions would be an improvement over the conventional art. [0007]
    SUMMARY OF THE INVENTION
  • Embodiments of the present invention provide a method for grid computing access control and a system thereof. In one embodiment, a command is received from a user. The authorization of the user to execute the command is verified. A system parameter is monitored during execution of the command. [0008]
    BRIEF DESCRIPTION OF THE DRAWINGS
  • The present invention is illustrated by way of example and not by way of limitation, in the figures of the accompanying drawings and in which like reference numerals refer to similar elements and in which: [0009]
  • Prior Art FIG. 1 shows a grid computing environment according to the conventional art. [0010]
  • FIG. 2 shows a block diagram of a system providing access control for graphical interactive sessions in a grid computing environment, in accordance with one embodiment of the present invention. [0011]
  • FIG. 3 shows a block diagram of a grid interactive shell, in accordance with one embodiment of the present invention. [0012]
  • FIG. 4 shows a block diagram of a grid monitoring system, in accordance with one embodiment of the present invention. [0013]
  • FIG. 5 shows a diagram of system policy file classifications, in accordance with one embodiment of the present invention. [0014]
  • FIG. 6 shows system policy files in accordance with an exemplary embodiment of the present invention. [0015]
  • FIGS. 7A-7B show a flow diagram of a process performed by an access control system, in accordance with one embodiment of the present invention. [0016]
    DETAILED DESCRIPTION OF THE INVENTION
  • Reference will now be made in detail to the embodiments of the invention, examples of which are illustrated in the accompanying drawings. While the invention will be described in conjunction with these embodiments, it will be understood that they are not intended to limit the invention to these embodiments. On the contrary, the invention is intended to cover alternatives, modifications and equivalents, which may be included within the spirit and scope of the invention as defined by the appended claims. Furthermore, in the following detailed description of the present invention, numerous specific details are set forth in order to provide a thorough understanding of the present invention. However, it is understood that the present invention may be practiced without these specific details. In other instances, well-known methods, procedures, components, and circuits have not been described in detail so as not to unnecessarily obscure aspects of the present invention. [0017]
  • Embodiments of the present invention provide an access control system supporting graphical interactive sessions on a grid computing environment. In one embodiment, the access control system comprises a grid interactive shell and a grid monitoring system. The grid interactive shell restricts access permission to execute requested applications and commands submitted interactively by an end-user. The grid interactive shell may also check system resources for provisioning quality of service guarantees before allowing an application to run. The grid monitoring agents monitor the system and session parameters so as to enforce the access control policies during a graphical interactive session. [0018]
  • In another embodiment, the grid computing control system comprises a grid interactive shell, for receiving a request to execute a command and/or application on a computing resource, a grid monitoring system, and a plurality of system policy files. The grid interactive shell is coupled to an operating system of the computing resource. The grid monitoring system is coupled to the interactive shell and the operating system of the computing resource. The plurality of system policy files are coupled to the grid interactive shell and the grid monitoring system. [0019]
  • In one embodiment, the grid interactive shell comprises a command interpreter, for parsing said command. An access control subsystem, for verifying a first plurality of system and session parameters, is also provided by the grid interactive shell. In one embodiment, the access control subsystem comprises one or more modules such as an executables and file access control module, a user binaries module, a session access control module, a quality of service access control module, and/or the like. [0020]
  • In one embodiment, the grid monitoring system comprises a plurality of monitoring agents, for monitoring a second plurality of system and session parameters. The grid monitoring system also includes a log file, for recording a plurality of system and session data. In one embodiment, the grid monitoring system comprises one or more modules such as a session specific policy module, a quality of service guarantees module, an intrusion detection module, an intrusion prevention module, and/or the like. [0021]
  • Referring now to FIG. 2, a block diagram of a system 200 providing access control for graphical interactive sessions in a grid computing environment, in accordance with one embodiment of the present invention, is shown. As depicted in FIG. 2, access control, between commands and/or applications 210 and an operating system kernel 220, is provided by a grid interactive shell 230, system policy files 240 and a grid monitoring system 250. [0022]
  • In the present embodiment, the access control system 200 provides end-users an interactive shell called the grid interactive shell 230. The grid interactive shell 230 restricts access permission to execute requested applications and commands submitted interactively by an end-user. The grid interactive shell 230 may also allow end-users to log onto a remote node. The grid interactive shell 230 may also check system resources for provisioning quality of service guarantees before allowing an application to run. [0023]
  • The grid monitoring system 250 provides for actively monitoring the system and session parameters so as to enforce session, application, and user policies during execution of user requested commands and/or applications. In an optional feature of the present embodiment, the grid monitoring system 250 also interfaces with the grid interactive shell 230, to provide relevant system and session information. The system and session information enables the grid interactive shell 230 to make access control decisions based on dynamic information gathered from the system. [0024]
  • The system policy files 240 are used by the grid interactive shell 230 and the grid monitoring system 250 to enforce the access control policies. The system policy files contain policy rules and data for each session and/or user. [0025]
  • Referring now to FIG. 3, a block diagram of a grid interactive shell 310, in accordance with one embodiment of the present invention, is shown. As depicted in FIG. 3, the grid interactive shell 310 comprises a command interpreter 320 and an access control subsystem 340. The grid interactive shell 310 is an extension to a command shell. The grid interactive shell 310 accepts commands for execution. The grid interactive shell 310 also accepts requests to execute applications that are already installed on the remote machine by a system administrator. The grid interactive shell 310 may also accept requests to execute applications that are not already installed on the remote machine and are user specified binary files. A request to execute an application may be given in the form of a command. [0026]
  • During an interactive session, an end-user submits a request to start a command or application 305 to the grid interactive shell 310. The command 305 is first parsed by the command interpreter 320, and then passed onto the access control subsystem 340. The access control subsystem 340 performs various access control checks. If one or more access control checks fail, a failure message is returned back to the user and the request to start the application and/or command is denied. If the access control subsystem checks succeed, then the command and/or application is started by the grid interactive shell and the graphical output, if any, can be viewed through a remote graphical display. [0027]
  • The access control subsystem 340 may comprise a plurality of modules such as: an executables and files access control module 350, a user binaries access control module 360, a session access control module 370, a quality of service access control module 380, and/or the like. The executables and files access control module 350 verifies that the requested command and/or application does not belong to a list of disallowed executables, is not invoked with a list of disallowed arguments and/or options, and/or does not access disallowed files and directories. The executables and files access control module 350 may also attempt to determine the files and directories that would be accessed, and compare them with the list in the system policy file 385. In an optional feature of the present embodiment, verification may be enforced through the system policy file 385, which enumerates the list of disallowed executables, disallowed executable arguments, disallowed files, and/or disallowed directories for the user. [0028]
  • The user binaries access control module 360 is responsible for verifying a trusted signature for user specified binaries. A user binary is typically an application that the user wishes to load onto a grid resource. The module checks a user signature from an existing trusted service. Alternatively, if an existing trusted service is unavailable to the user, the present embodiment may provide a virtual machine environment for executing the user's binaries. The decision to allow a virtual machine environment may be controlled based on a system policy file 385 for the user. [0029]
  • The session access control module 370 verifies that the requested command and/or application does not violate session specific policies, such as usage time for the session, maximum number of processes and/or applications launched during the session, maximum number of socket connections allowed during the session, and/or maximum disk quota used during the session. In an optional feature of the present embodiment, the grid interactive shell 310 may be provided with the current usage values for these parameters by the grid monitoring system 390. In another optional feature of the present embodiment, the policy and actions to be taken on violation of the session policies may be specified in another system policy file 385. [0030]
  • The quality of service access module 380 verifies that the requested command and/or application would not violate quality of service guarantees for itself and/or other running jobs. The module verifies that system resources are available to meet quality of service guarantees for the requested command and/or application. If the requested application cannot be provided sufficient system resources, the quality of service access module 380 may deny access to execute the application and notify the user of the failure. [0031]
  • In an optional feature of the present embodiment, another system policy file 385 may be utilized to determine quality of service levels. A system policy file 385 may contain information about the acceptable quality of service guarantee levels for each application. Each such quality of service guarantee level would translate to specific system resource requirements. [0032]
  • In another optional feature of the present embodiment, if an advance reservation is in place for the interactive session, the quality of service access module 380 may first verify if executing the requested command and/or application with the quality of service guarantee requirement level will exceed the advance reservation limits. If so, or if there is no advance reservation in place, the quality of service access control module can interface with the grid monitoring system 390 to determine the system load and estimated system availability information. If the estimated available resources can accommodate the requested application, at an acceptable quality of service level, then the quality of service access module 380 would allow access to execute the application. The quality of service access module 380 may also provision and reserve the resources for the application, based on a policy decision. [0033]
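The executables and files check and the session check described above can be sketched as follows. This is an added example, not code from the patent: the policy file syntax, the function names, the `cwd` value and the sample limits are all assumptions made for illustration.

```python
import posixpath
import shlex

# Constructed policy text. The page says policy files are text files but does
# not give their syntax, so this "key: value value ..." layout is an assumption.
ACCOUNT_POLICY = """
disallowed_executables: rm su mount
disallowed_arguments: -exec --privileged
disallowed_paths: /etc/shadow /root
"""
SESSION_POLICY = """
max_processes: 3
max_usage_seconds: 3600
"""


def parse_policy(text):
    """Parse 'key: v1 v2 ...' lines into {key: [v1, v2, ...]}."""
    policy = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, values = line.partition(":")
        policy[key.strip()] = values.split()
    return policy


def is_under(path, root):
    """True if path is root or lies below it (a path test, not a string prefix)."""
    root = root.rstrip("/")
    return path == root or path.startswith(root + "/")


def check_command(command_line, account, session, usage, cwd="/home/grid001"):
    """Run the executables/files check, then the session check.

    usage holds the current session values that the monitoring system would
    supply, e.g. {"processes": 2, "usage_seconds": 120}.
    Returns (allowed, reason).
    """
    try:
        argv = shlex.split(command_line)
    except ValueError:
        return False, "unparseable"  # e.g. unbalanced quotes: fail closed
    if not argv:
        return False, "empty"

    # Compare the basename so "/bin/rm" and "rm" are treated alike.
    exe = posixpath.basename(argv[0])
    if exe in account.get("disallowed_executables", []):
        return False, "disallowed_executable:" + exe

    for arg in argv[1:]:
        if arg in account.get("disallowed_arguments", []):
            return False, "disallowed_argument:" + arg
        # Treat every argument (and the value of --opt=value) as a candidate
        # path, and collapse "." and ".." before comparing.
        candidate = arg.split("=", 1)[-1]
        resolved = posixpath.normpath(posixpath.join(cwd, candidate))
        # normpath keeps a leading "//"; collapse it so "//etc/x" equals "/etc/x".
        resolved = "/" + resolved.lstrip("/")
        for root in account.get("disallowed_paths", []):
            if is_under(resolved, root):
                return False, "disallowed_path:" + root

    # Session check: starting this command adds one process to the session.
    if usage["processes"] + 1 > int(session["max_processes"][0]):
        return False, "session_limit:max_processes"
    if usage["usage_seconds"] >= int(session["max_usage_seconds"][0]):
        return False, "session_limit:max_usage_seconds"
    return True, "allowed"


ACCOUNT = parse_policy(ACCOUNT_POLICY)
SESSION = parse_policy(SESSION_POLICY)
```

Lexical normalization does not follow symbolic links, so a check like this complements the operating system's own access control and the run-time monitoring rather than replacing them.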
  • Referring now to FIG. 4, a block diagram of a grid monitoring system 410, in accordance with one embodiment of the present invention, is shown. As depicted in FIG. 4, the grid monitoring system 410 comprises monitoring agents 420. The grid monitoring system 410 may also comprise a grid monitoring agents log file 470. The grid monitoring agents 420 may comprise a plurality of modules such as: a session specific policy module 430, a quality of service guarantees module 440, an intrusion detection module 450, an intrusion prevention module 460, and/or the like. Some of the agents 430-460 may be associated with a specific session, while others may be system wide agents that monitor all the sessions started through the grid interactive shell 490. The agents 430-460 may also log their information in log files 470, as well as interface to the grid interactive shell 490, other peer monitoring agents 485, other monitoring systems (not shown) and/or the like, as needed. [0034]
  • The session specific policy module 430 monitors session specific parameters. Session specific policies may include specific policies such as usage time for the session, number of processes spawned during the session, number of socket connections opened during the session, disk quota usage for the session, central processing unit usage for the session, and/or the like. The session specific policy module 430 may utilize the system policy files 495 to determine acceptable limits. The system policy files 495 may for example define the maximum usage limits of these parameters. In an optional feature of the present embodiment, if the session specific policy module 430 observes a violation of the defined session policies, an appropriate action may be taken as defined in the system policy files 495. [0035]
  • The quality of service guarantees module 440 is responsible for monitoring and enforcing the quality of service guarantees for commands and/or applications. The quality of service guarantees module 440 monitors parameters such as central processing unit utilization, network bandwidth available for each application, and/or the like. In an optional feature of the present embodiment, the module 440 may also interface with the grid interactive shell quality of service module and respond to requests made thereby. [0036]
  • The intrusion detection module 450 monitors parameters such as internet protocol (IP) addresses of incoming connections, transmission control protocol (TCP) connection information, and/or the like. In an optional feature of the present embodiment, the intrusion detection module 450 may also interface with peer agents on other grid enabled machines. Interfacing with peer agents allows the agents to share intrusion detection information, thus forming a distributed intrusion detection system for grid environments. [0037]
  • The intrusion prevention module 460 monitors parameters such as IP addresses of outgoing connections and/or the like. The intrusion prevention module 460 may selectively block connections to certain IP addresses as a precautionary measure to prevent possible intrusion and spreading of worms/viruses to other nodes. Hence, the intrusion prevention module 460 serves to prevent intrusion from hacked or malicious binary code started by the grid user on the remote node. [0038]
  • Upon a violation of policies, the monitoring agents 420 may send a signal to the grid interactive shell 490 whereby an appropriate action is taken. An exemplary default action may be to terminate all the processes started during the session and thereafter end the session. [0039]
  • Referring now to FIG. 5, a diagram of system policy file classifications, in accordance with one embodiment of the present invention, is shown. As depicted in FIG. 5, the system policy files may be classified into the following categories: session policy files, account policy files, application policy files, quality of service policy files, and/or the like. [0040]
  • The system policy files are controlled by a system administrator. Furthermore, each of the policy files may be customized for a given user of the system. The session policy files contain policy information for each session. Exemplary policies are accounting and pricing policies, central processing and process usage policies, file system and disk quota usage policies. The policy files may also specify the default action to be taken on a violation of these policies. [0041]
  • The account policy files may contain policy information associated with account pools. There may be separate policies for controlled normal users and controlled super users. The operating system of a particular computing resource provides for normal users and super users. The access of the normal user and super user are each restricted by applicable access control policy files, resulting in controlled normal users and controlled super users. Exemplary policies may include a list of allowed executables and files for a given account pool that a controlled normal user or controlled super user may access on a given computing resource. [0042]
  • The application policy files contain policy information for applications that would be started by the grid environment. There may be two kinds of applications, installed applications and user specified binaries. [0043]
  • The quality of service policy files may contain information for quality of service metrics. An exemplary quality of service metric for graphical sessions to remote nodes may comprise a minimum frame rate. Each acceptable frame rate requirement may translate to specific quality of service requirements for the application and the remote display server on the remote node. [0044]
  • Referring now to FIG. 6, system policy files in accordance with an exemplary embodiment of the present invention are shown. As depicted in FIG. 6, the exemplary policy files include account policy files, a session policy file, and a quality of service policy file. The exemplary account policy files include a list of disallowed executables and a list of disallowed files. The exemplary session policy file includes a session max value and a default action. The exemplary quality of service policy file includes an acceptable frame rate for various application classes. [0045]
  • Referring now to FIGS. 7A-7B, a flow diagram of a process performed by an access control system, in accordance with one embodiment of the present invention, is shown. As depicted in FIGS. 7A-7B, the account management process begins with a user presenting credentials to a middleware infrastructure, at step 703. The user's credentials are authenticated at step 706. Authentication may require that the end-user previously requests and obtains a grid certificate. An authentication manager mutually authenticates the user with various computing resources in the grid. [0046]
  • The grid environment uses dynamic and/or template accounts to provide resource virtualization for the grid environment. The scalability and manageability of the system are enhanced if grid users are not required to have personal user accounts on each computing resource that is a part of the grid. Instead, a system administrator adds the user once to a directory maintained by the virtual organization in which the user has obtained membership. For an organizational account, an entry may be added once for the organization in the directory. An organization account is an organization wide common account shared by all the members of the virtual organization. [0047]
  • Upon a successful authentication, an appropriate account pool for the user is determined, at step 709. Each pool is associated with a set of policy files, which are customized to the target users of the particular pool. As a result, a dynamic account for the requested session is established for the authorized user. The selection of a pool and the binding of the user to an available dynamic account from that pool may be based on the grid credentials presented. [0048]
  • Any node that participates in a given virtual account will check the user's membership with the directory, and authorize the use as a dynamic account if the user does not have a static account. The dynamic account is chosen from a pool of dynamic accounts maintained for the particular virtual organization. Each dynamic account is a full-fledged account created on the computing resource, but without a permanent real-world user associated with it. Unlike normal user accounts that belong permanently to their real-world owners, a dynamic account is bound to a user temporarily. [0049]
  • After the successful selection and binding of user to a dynamic account, the access control system and the monitoring agents are invoked. A window manager, terminal windows running the grid interactive shell, and other programs specified in the window manager's startup files are started as processes owned by the allocated dynamic account. [0050]
  • In a Linux implementation, a virtual network connection (VNC) server or remote display server is started. The grid monitoring system is also started simultaneously. A web browser of the end-user receives hypertext markup language (HTML) code containing a VNC applet code snippet for the VNC server. Upon execution of the applet, a VNC connection is established between the end-user's web browser and the remote node. Alternatively, a VNC viewer application may be utilized, if it is desired not to use the Java applet based approach. The VNC viewer is preinstalled on the end-user's machine. Upon a successful VNC authentication, the user is presented with a controlled KDE desktop environment containing only the applications and menus the user is allowed to access. The KDE desktop environment is pre-configured by a system administrator for each pool of accounts. Other desktops like GNOME could also be provided and customized. [0051]
  • In a Linux implementation, the grid interactive shell may be implemented as an extension to the popular GNU bash shell for Linux. The shell source code is modified so as to include the access control modules. In a Windows implementation, the grid interactive shell may be implemented as an extension of Cygwin open source bash shell. The shell source code is modified to add in the access control modules. The system policy files are implemented as text files stored in the Windows File system. The access control modules read in the system policies from the files. [0052]
  • Upon establishment of a dynamic account for the session, requests for executing a command and/or application submitted 751 by the user are parsed at step 712. The parsed requests are processed by the access control subsystem. The access control subsystem may include an executables and files access control module 715, which verifies that the requested command and/or application does not belong to a list of disallowed executables, is not invoked with a list of disallowed arguments and/or options, and does not access disallowed files and directories. If a request contains a user binary, a user binaries access control module 718 verifies the signature of user specified binaries. A session access control module 721 verifies that the requested command and/or application does not violate session specific policies. A quality of service access module 724 verifies that the requested command and/or application would not violate quality of service guarantees for itself and other running graphics jobs. [0053]
  • If the respective conditions are successfully verified, the process continues with the next step. If the condition is not verified, the user may be notified of the failure and the session terminated (754, 763). [0054]
  • At step 727, if the access control checks succeed, then the command and/or application is started by the grid interactive shell and the graphical output, if any, can be viewed through the remote graphical display. [0055]
  • At steps 730, 733, 736, 739, the execution of the requested command and/or application is monitored. Monitoring may include checking session specific parameters, checking and enforcing the quality of service guarantees, and detecting and/or preventing intrusion. Such monitoring agents 730, 733, 736, 739, may be executed serially and/or in parallel with each other and the command or application being monitored. If the monitoring agents 730, 733, 736, 739 detect a violation, an appropriate action may be taken as defined in a system policy file. Alternatively, the user may be notified of the failure and the session terminated 763. [0056]
  • At step 742, the dynamic account is freed at the termination time agreed upon for the session. After the termination time, the grid monitoring agents may terminate the processes still running with the particular account as owner, and may delete all files owned by the account. The dynamic account is then returned to the pool, at step 745. Alternatively, the grid monitoring agents may archive the files created by the user on a server maintained by the virtual organization. Subsequent sessions for this user would retrieve the files from the archive. The selection of a pool and the binding of the user to an available dynamic account from that pool are based on the grid credentials presented by a user. [0057]
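The dynamic account lifecycle described above (bind at step 709, free at step 742, return to the pool at step 745) can be modelled in memory as follows. This is an added example, not code from the patent: the class names, the account name `grid001` and the use of plain numbers for time are assumptions, and real process termination and file deletion are represented by clearing lists and dictionaries.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DynamicAccount:
    name: str
    bound_to: Optional[str] = None  # grid user currently holding the account
    expires_at: float = 0.0         # termination time agreed for the session
    processes: list = field(default_factory=list)
    files: dict = field(default_factory=dict)


class AccountPool:
    """In-memory model of one virtual organization's dynamic account pool."""

    def __init__(self, policy_files, account_names, members):
        self.policy_files = policy_files  # policy set shared by the whole pool
        self.accounts = [DynamicAccount(n) for n in account_names]
        self.members = set(members)       # directory kept by the organization
        self.archive = {}                 # user -> files kept between sessions

    def bind(self, user, now, duration):
        """Temporarily bind a free dynamic account to an authenticated member."""
        if user not in self.members:
            raise PermissionError(user + " is not a member of this organization")
        for acct in self.accounts:
            if acct.bound_to is None:
                acct.bound_to = user
                acct.expires_at = now + duration
                # Restore files archived from this user's earlier session, if any.
                acct.files = dict(self.archive.pop(user, {}))
                return acct
        raise RuntimeError("no free dynamic account in pool")

    def reap(self, now, archive_files=False):
        """Free every account whose termination time has passed.

        Leftover processes are dropped and files are deleted (or archived under
        the departing user) before the account becomes bindable again, so
        nothing carries over to the next user. Returns the freed account names.
        """
        freed = []
        for acct in self.accounts:
            if acct.bound_to is None or now < acct.expires_at:
                continue
            acct.processes.clear()
            if archive_files and acct.files:
                self.archive[acct.bound_to] = dict(acct.files)
            acct.files.clear()
            acct.bound_to = None
            freed.append(acct.name)
        return freed
```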
  • Embodiments of the present invention may be practiced as an extension of existing grid middleware infrastructure. Embodiments of the present invention advantageously provide a comprehensive access control methodology for graphical interactive sessions. The access control is in addition to those provided by the operating system. The access control system is modular and rule based allowing for fine grained access control and easy extensibility. The extensibility allows for adding and removing access control modules in the grid interactive shell, or monitoring agents in the grid monitoring system, as appropriate for a particular implementation. [0058]
  • The foregoing descriptions of specific embodiments of the present invention have been presented for purposes of illustration and description. They are not intended to be exhaustive or to limit the invention to the precise forms disclosed, and obviously many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the invention and its practical application, to thereby enable others skilled in the art to best utilize the invention and various embodiments with various modifications as are suited to the particular use contemplated. It is intended that the scope of the invention be defined by the Claims appended hereto and their equivalents. [0059]

Claims (20)

What is claimed is:
1. A grid computing access control method comprising:
receiving a command from a user;
verifying an authorization of said user to execute said command; and
monitoring a system parameter during execution of said command.
2. The method according to claim 1, further comprising monitoring a session parameter during execution of said command.
3. The method according to claim 1, further comprising:
receiving a request to execute an application from a user;
verifying said authorization of said user to execute said application; and
monitoring said system parameter during execution of said application.
4. The method according to claim 3, further comprising monitoring a session parameter during execution of said application.
5. The method according to claim 1, further comprising enforcing one or more policies selected from the group comprising a session policy, an application policy, and a user policy.
6. The method according to claim 1, further comprising verifying availability of a system resource prior to allowing said user to execute said application.
7. The method according to claim 1, further comprising authentication of said user.
8. The method according to claim 1, further comprising establishing a session for execution of said application.
9. The method according to claim 8, wherein establishing said session comprises binding a dynamic account to a set of policy files.
10. The method according to claim 9, wherein said set of policy files is configurable according to said user and said session.
11. The method according to claim 1, further comprising terminating said session when a violation of one of the following conditions occurs, said authentication, said authorization, said system parameter, and said session parameter.
12. A grid computing control system comprising:
a grid interactive shell, for receiving a command for execution on a computing resource, wherein said grid interactive shell is coupled to an operating system of a computing resource;
a grid monitoring system coupled to said interactive shell and said operating system of said computing resource;
a plurality of system policy files coupled to said grid interactive shell and said grid monitoring system.
13. The grid computing control system according to claim 12, wherein said grid interactive shell further receives request to execute an application on said computing resource.
14. The grid computing control system according to claim 12, wherein said grid interactive shell comprises:
a command interpreter, for parsing said command; and
an access control subsystem, for verifying a first plurality of system and session parameters.
15. The grid computing control system according to claim 12, wherein said access control subsystem comprises one or more modules selected from the group consisting of an executables and files access control module, a user binaries module, a session access control module, and a quality of service access control module.
16. The grid computing control system according to claim 12, wherein said grid monitoring system comprises:
a plurality of monitoring agents, for monitoring a second plurality of system and session parameters; and
a log file, for recording a plurality of system and session data.
17. The grid computing control system according to claim 12, wherein said plurality of monitoring agents comprises one or more modules selected from the group consisting of a session specific policy module, a quality of service guarantees module, an intrusion detection module, and an intrusion prevention module.
18. A computer readable-medium comprising a plurality of instructions which when executed cause a grid computing resource to execute a resource management process comprising:
verifying a requested command is an allowable executable;
verifying said requested command includes an allowed argument;
verifying said requested command conforms to a session specific policy;
verifying said requested command conforms to a quality of service guarantee;
monitoring compliance with said session specific policy during execution of said requested command; and
monitoring compliance with said quality of service guarantee during execution of said requested command.
19. The process according to claim 18, further comprising:
monitoring to detect an intrusion during execution of said requested command; and
monitoring to prevent said intrusion during execution of said requested command.
20. The process according to claim 19, further comprising verifying said requested command includes a trusted signature, wherein said requested command comprises a user specified binary.
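The four pre-execution verifications recited in claim 18 (allowable executable, allowed argument, session specific policy, quality of service guarantee) can be illustrated with a short sketch. This is an added example, not code from the patent or its assignee; the policy layout, the `Session` fields and the function names are assumptions made for illustration, and the monitoring steps that run during execution are not covered.

```python
import posixpath
import shlex
from dataclasses import dataclass, field

# Constructed policy for illustration; the patent names "policy files"
# but does not define a format for them.
ALLOWED = {
    "/bin/ls": {"flags": {"-l", "-a"}, "operands": True},
    "/usr/bin/wc": {"flags": {"-l"}, "operands": True},
    "/bin/hostname": {"flags": set(), "operands": False},
}


@dataclass
class Session:
    home: str              # directory bound to the session's dynamic account
    expires_at: float      # end of the session (epoch seconds)
    max_procs: int         # QoS ceiling on concurrent processes
    cpu_share: float       # QoS ceiling on the session's CPU fraction
    running_procs: int = 0
    cpu_in_use: float = 0.0
    log: list = field(default_factory=list)   # stands in for the log file


def _confined(home, operand):
    """Lexical check that operand stays under home (symlinks are not resolved)."""
    home = posixpath.normpath(home)
    target = posixpath.normpath(posixpath.join(home, operand))
    return target == home or target.startswith(home + "/")


def _decide(line, session, now, allowed):
    # Command interpreter: tokenize without ever handing the line to a shell,
    # so ';', '|' and similar characters are plain argument text.
    try:
        argv = shlex.split(line)
    except ValueError:
        return False, "unparseable command"
    if not argv:
        return False, "empty command"

    # 1. Allowable executable: exact absolute path, no PATH lookup.
    rule = allowed.get(argv[0])
    if rule is None:
        return False, "executable not allowed"

    # 2. Allowed arguments: every flag must be listed for this executable.
    operands = []
    for arg in argv[1:]:
        if arg.startswith("-"):
            if arg not in rule["flags"]:
                return False, "argument not allowed"
        elif not rule["operands"]:
            return False, "argument not allowed"
        else:
            operands.append(arg)

    # 3. Session specific policy: session still valid, paths stay in its home.
    if now >= session.expires_at:
        return False, "session expired"
    for operand in operands:
        if not _confined(session.home, operand):
            return False, "path outside session"

    # 4. Quality of service guarantee: do not exceed what the session was granted.
    if session.running_procs >= session.max_procs:
        return False, "process limit reached"
    if session.cpu_in_use >= session.cpu_share:
        return False, "cpu share exhausted"
    return True, "ok"


def check_command(line, session, now, allowed=ALLOWED):
    """Run the four checks in order; log and return (ok, reason)."""
    ok, reason = _decide(line, session, now, allowed)
    session.log.append((now, line, "ALLOW" if ok else "DENY", reason))
    return ok, reason
```

The checks are default-deny and ordered so that the cheapest and most specific rejection is reported first; every decision, allowed or denied, is appended to the session log.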
US10/340,436 2003-01-10 2003-01-10 Grid computing control system Expired - Fee Related US7421500B2 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US10/340,436 US7421500B2 (en) 2003-01-10 2003-01-10 Grid computing control system

Publications (2)

Publication Number Publication Date
US20040139202A1 (en) 2004-07-15
US7421500B2 (en) 2008-09-02

Family

ID=32711329

Also Published As

Publication number Publication date
US7421500B2 (en) 2008-09-02

Similar Documents

Publication Publication Date Title
US7421500B2 (en) Grid computing control system
US7475419B1 (en) System and method for controlling access in an interactive grid environment
US9076013B1 (en) Managing requests for security services
US7461144B1 (en) Virtual private server with enhanced security
McDaniel On context in authorization policy
US11489872B2 (en) Identity-based segmentation of applications and containers in a dynamic environment
US9594898B2 (en) Methods and systems for controlling access to resources and privileges per process
KR101076911B1 (en) System and method for providing security to an application
US9614855B2 (en) System and method for implementing a secure web application entitlement service
US7305701B2 (en) Methods and arrangements for controlling access to resources based on authentication method
US7644434B2 (en) Computer security system
US20170039380A1 (en) Unified system for authentication and authorization
EP1132796A1 (en) Mobile code and method for resource management for mobile code
US10757079B2 (en) Method and system for controlling remote session on computer systems using a virtual channel
US8688845B2 (en) Remote computing session feature differentiation
AU2001244194A1 (en) Mobile code and method for resource management for mobile code
JP2022531872A (en) Fine-grained token-based access control
CN111526111B (en) Control method, device and equipment for logging in light application and computer storage medium
GB2589664A (en) Systems and methods for event-based application control
Talwar et al. An environment for enabling interactive grids
US20150281281A1 (en) Identification of unauthorized application data in a corporate network
Basu et al. Interactive Grid Architecture for Application Service Providers.
Prasanalakshmi et al. Secure credential federation for hybrid cloud environment with SAML enabled multifactor authentication using biometrics
Cuppens et al. Availability enforcement by obligations and aspects identification
CN116707849A (en) Cloud service access authority setting method and cloud management platform for enclave instance

Legal Events

Date Code Title Description
AS Assignment

Owner name: HEWLETT-PACKARD COMPANY, COLORADO

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:TALWAR, VANISH;BASU, SUJOY;KUMAR, RAJENDRA;REEL/FRAME:013476/0815

Effective date: 20030122

AS Assignment

Owner name: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P., COLORAD

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HEWLETT-PACKARD COMPANY;REEL/FRAME:013776/0928

Effective date: 20030131

Owner name: HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P., COLORADO

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HEWLETT-PACKARD COMPANY;REEL/FRAME:013776/0928

Effective date: 20030131

AS Assignment

Owner name: HEWLETT-PACKARD DEVELOPMENT COMPANY L.P., TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HEWLETT-PACKARD COMPANY;REEL/FRAME:014061/0492

Effective date: 20030926

Owner name: HEWLETT-PACKARD DEVELOPMENT COMPANY L.P., TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HEWLETT-PACKARD COMPANY;REEL/FRAME:014061/0492

Effective date: 20030926

CC Certificate of correction
FPAY Fee payment

Year of fee payment: 4

AS Assignment

Owner name: HEWLETT PACKARD ENTERPRISE DEVELOPMENT LP, TEXAS

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:HEWLETT-PACKARD DEVELOPMENT COMPANY, L.P.;REEL/FRAME:037079/0001

Effective date: 20151027

REMI Maintenance fee reminder mailed
LAPS Lapse for failure to pay maintenance fees
STCH Information on status: patent discontinuation

Free format text: PATENT EXPIRED DUE TO NONPAYMENT OF MAINTENANCE FEES UNDER 37 CFR 1.362

FP Lapsed due to failure to pay maintenance fee

Effective date: 20160902